DDoS Attacks Get Trickier, Traditional Defenses Fall Short

Popular methods of defense against Distributed Denial of Service (DDoS) attacks have proven comically easy to circumvent.

Distributed Denial of Service (DDoS) attacks, attempts to make a site or service unresponsive to its intended users by saturating the network with illegitimate traffic, will continue to wreak havoc on financial institutions thanks to advancing techniques and easy workarounds for common security measures.

Recent attacks show that the scale of DDoS attacks has continued to rise, to the point that millions of compromised computers are sending traffic to a single web server. A single attack in January of last year sent the equivalent of the traffic carried by the transatlantic fiber optic cables, a force no web server in a data center can cope with.

"You would need some pretty sophisticated defense mechanisms to stop that traffic, and much further upstream," says Chris Camejo, director of assessment services at NTT Com Security.

Unfortunately, a common means of protection has proven easy to circumvent. Camejo explains that organizations frequently turn to a contracted third-party service to host their web servers, filter out bad traffic and detect DDoS attacks before they hit the real web server. It's the equivalent of changing your phone number to that of an answering service that screens calls before forwarding the legitimate ones to you.

"It works great as long as nobody knows your actual phone number in that analogy," he explains. "The web service is still out there. It's still accessible from the Internet. With a little bit of research, it's usually not terribly difficult to find out where that actual web server is located. Even though publicly they're saying all traffic should go through this third party service, there's nothing preventing me from just DDoS-ing the web server directly because I found its real address. I can just connect to it directly. That's something that a lot of organizations have been overlooking."
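The weakness Camejo describes is detectable from the origin server's own access log: if the scrubbing provider is the only party that should be forwarding traffic, any request arriving from an address outside the provider's published ranges reached the origin directly. The following is an added example and is not code from the article or from NTT Com Security; the provider CIDR ranges, the common-log-format lines and the `find_bypass_sources` helper are all constructed for illustration.

```python
"""Added example (not from the article): flag requests that reach the origin
web server without passing through the third-party DDoS scrubbing service.

Assumptions (not from the article): the scrubbing provider publishes the
CIDR ranges it forwards traffic from, and the origin keeps a common-log-format
access log. Provider ranges and log lines below are constructed samples.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: CIDR blocks the scrubbing provider forwards from.
SCRUBBER_RANGES = [
    ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/25")
]

# Constructed sample origin access-log lines (common log format).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2014:10:00:02 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.44 - - [10/Mar/2014:10:00:02 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [10/Mar/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.45 - - [10/Mar/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2014:10:00:04 +0000] "GET /about HTTP/1.1" 200 1024
"""

# Source address is the first field of a common-log-format line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')


def is_from_scrubber(ip: str, ranges=SCRUBBER_RANGES) -> bool:
    """True when the peer address belongs to one of the provider's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_bypass_sources(log_text: str, ranges=SCRUBBER_RANGES) -> Counter:
    """Return a Counter of source IPs that hit the origin directly,
    i.e. without coming through the scrubbing provider."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at them
        src = m.group(1)
        if not is_from_scrubber(src, ranges):
            hits[src] += 1
    return hits


if __name__ == "__main__":
    for src, n in find_bypass_sources(SAMPLE_LOG).most_common():
        print(f"{src}: {n} direct request(s) bypassing the scrubbing service")
```

Any non-zero result means the origin is reachable on the open Internet; the same range list should drive the origin firewall's allowlist so that traffic not forwarded by the provider is dropped before it reaches the web server at all.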

The Ransom

The unfortunate reality is that many firms aren't even aware they are victims until they receive an e-mail with a ransom note demanding money or information in exchange for putting the site back online. Attackers will also use the botnets that deliver these DDoS attacks to try to hijack online banking sessions and obtain financial account credentials.

A recent DDoS attack on Meetup.com hit headlines when CEO Scott Heiferman refused to pay hackers a $300 ransom to restore the site. As a result, the social site was offline for nearly four days. Heiferman told Reuters he worried that paying the ransom would encourage the cyber criminals to demand more money in another round of attacks.

The financial industry has had years of experience with these sorts of attacks, perhaps best highlighted by "Operation Payback," when the hacktivist group Anonymous DDoSed credit card companies after they stopped permitting the use of their cards to make donations to WikiLeaks. These headline incidents helped firms rally the resources to protect against this sort of attack.

"I would say the larger financial institutions are in good shape," says Camejo. "Where it gets tricky is the smaller institutions that may not have the kind of resources that Visa or MasterCard or a big bank like Bank of America has. They may not realize this type of attack is out there, they may not realize how powerful these types of attacks are." He adds that there's been a wave of DDoS attacks on credit unions over the last year.

Conversation around the Meetup.com attack revealed more sophisticated techniques on the part of attackers. The attackers were most likely part of some sort of Eastern European criminal element, Camejo adds.

It used to just be that they would send a ton of traffic in somebody's direction and flood the web server, he explains. "But as the anti-DDoS technology has gotten better, they've gotten a bit more sneaky about it. Instead of just blasting it with traffic, now with some of the techniques they'll actually connect to a web server and pretend like they're trying to access the webpage and start downloading data from the webpage, but do it very, very slowly. Thereby forcing the web server to keep that connection open and it makes it harder to detect than the old school method."
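The "very, very slowly" behaviour Camejo describes has a measurable signature on the server side: a connection that has been open far longer than a normal page load while the client has accepted only a trickle of bytes, and many such connections from the same address at once. The following detection logic is an added example, not code from the article or from any product it mentions; the `Conn` record shape, the thresholds and the sample connections are all constructed assumptions.

```python
"""Added example (not from the article): spot "low and slow" HTTP connections
that hold a server socket open while reading the response at a trickle.

Assumptions (not from the article): the server exports per-connection records
with the peer address, how long the connection has been open, and how many
response bytes the client has accepted so far. The records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str              # client address
    open_seconds: float   # how long the connection has been open
    bytes_sent: int       # response bytes the client has actually accepted


# Constructed sample: ordinary clients, one large but fast download, and one
# address holding several connections open for minutes while accepting almost
# nothing (the slow-read pattern described in the text).
SAMPLE_CONNS = [
    Conn("192.0.2.10", 0.8, 51200),
    Conn("192.0.2.11", 2.5, 204800),
    Conn("203.0.113.77", 310.0, 400),
    Conn("203.0.113.77", 295.0, 380),
    Conn("203.0.113.77", 280.0, 410),
    Conn("203.0.113.77", 260.0, 390),
    Conn("192.0.2.12", 120.0, 9000000),  # long-lived but fast: a real download
]


def is_slow_read(c: Conn, min_open_seconds=60.0, max_bytes_per_second=64.0) -> bool:
    """A connection is suspicious only when it has been open a long time AND
    the client has accepted data at a rate far below any real browser's.
    Duration alone is not enough: a big download is long-lived but fast."""
    if c.open_seconds < min_open_seconds:
        return False
    return c.bytes_sent / c.open_seconds < max_bytes_per_second


def slow_read_sources(conns, min_conns=3, **thresholds) -> dict:
    """Return {src: count} for sources holding at least min_conns slow
    connections at once. Counting per source keeps a single client on a
    poor link from tripping the detector."""
    per_src = defaultdict(int)
    for c in conns:
        if is_slow_read(c, **thresholds):
            per_src[c.src] += 1
    return {src: n for src, n in per_src.items() if n >= min_conns}


if __name__ == "__main__":
    for src, n in slow_read_sources(SAMPLE_CONNS).items():
        print(f"{src}: {n} slow-read connections held open")
```

The per-source count is the useful signal; one slow connection is what a phone on a bad link looks like, while dozens held open concurrently by one address are what the server should be protected against, typically by capping concurrent connections per client and setting a response send timeout so an idle reader cannot pin a worker indefinitely.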

Distribute the Risk

One of the biggest issues around security is that nobody really thinks about risk, he adds. There's a tendency to say that everything is valuable and worthy of protection, but the cost of protecting all data can be overwhelming, which too often causes firms to throw up their hands and do nothing, or too little.

Camejo is a proponent of separating the components of a website and hosting them on different infrastructure, each protected in proportion to its value to the business. A landing page, for example, would be a shame to see DDoSed and shut down, but that would not be nearly as detrimental as the loss of the actual online banking pages people access daily or hourly to transfer funds, pay bills and check balances. And if the landing page is breached, there is less concern that attackers can use the same channels to access customer accounts.

"Decide where downtime is more terrible, and invest in the security of that application," he suggests. "Put it on a separate infrastructure. But in order to make those sorts of decisions you would have to sit down as an organization, sit down and think about which systems are actually worth money to us, which systems are going to cost us lots of money if they go down, which systems are we willing to let go down for how long. Make all those decisions in advance because when it's in the middle of an attack and sites are down and ransom demands are coming in via email, that's not the time to be making those sorts of decisions."

Becca Lipman is Senior Editor for Wall Street & Technology. She writes in-depth news articles with a focus on big data and compliance in the capital markets. She regularly meets with information technology leaders and innovators and writes about cloud computing, datacenters, ...

I believe employees are the weakest link in any bank's security chain. This includes competency, fraud, complacency and "moral turpitude". Any organization whose sole purpose is to process money, be it banks, credit card companies or even some government agencies, risks these same deficiencies. This suggests most organizations should first look within, as the most egregious fraudulent breaches have been perpetrated from within.

Unfortunately, there's not much banks can do about the ignorance of their customers who open themselves up to the malware. It always seems to be the case that the best defense systems can be brought down by a single innocent but ignorant move.

Yeah we're seeing that in the consumer fraud space. Banks built great online defenses to prevent cyber fraud, and now the fraudsters are getting into customer accounts by tricking human agents with new schemes. Where there's a will, there's a way.

The hackers and fraudsters will always go for the path of least resistance or the lowest hanging fruit. So, banks need to be continually upping their security standards. It's been like this for a while, but it seems as though the trend is accelerating as the hackers get smarter (and as the banks get better with their own security.)

I think it's already happening. Camejo says the credit unions have seen a rise in attacks. I can't speak for their security but I imagine across the board they are less equipped than BofA. Meetup.com, for example, is a mid-size social media site; I guess it is not employing the same security measures as Facebook!

A very expensive game of cat and mouse. The sad thing is there are going to be laggards, the smaller firms with fewer resources for security, who are always a few steps behind the innovative players, so they will rarely be secure enough to compete.

This underscores the harsh reality that best practices around security today may be obsolete tomorrow. Banks know (or should know) better than anyone that hackers and fraudsters are increasingly sophisticated and organized; you're less likely to be dealing with a disgruntled individual than with a network of organized and profit-minded criminals. So it seems like security management has to evolve into a very dynamic approach where strategies and tools are changing all the time as banks strive to stay at least a step ahead of the fraudsters.